Outbound email error: "Client network socket disconnected before secure TLS connection was established"
-
Running into an issue with one particular mail server for a recipient. My emails aren't arriving at all. I see the following in the logs when it tries to send my message:
2020-11-24T01:21:09.000Z [INFO] [528A8DBB-ECC3-43B8-8D2E-DC65014EC9C5.1.1] [outbound] Looking up A records for: gw6158.fortimail.com 2020-11-24T01:21:09.000Z [INFO] [528A8DBB-ECC3-43B8-8D2E-DC65014EC9C5.1.1] [outbound] Attempting to deliver to: 173.243.136.158:25 (0) (8) 2020-11-24T01:21:10.000Z [ERROR] [528A8DBB-ECC3-43B8-8D2E-DC65014EC9C5.1.1] [outbound] Ongoing connection failed to 173.243.136.158:25 : Error: Client network socket disconnected before secure TLS connection was established 2020-11-24T01:21:10.000Z [INFO] [528A8DBB-ECC3-43B8-8D2E-DC65014EC9C5.1.1] [outbound] Temp failing 1606179904597_1606180869126_4_87_95hV7K_3760_88af3024f7bc for 1024 seconds: Tried all MXsSo it tries later and basically is in a loop as it can't succeed. It seems like the backend isn't even responding, but their mail server is definitely working because another client working with alongside (but not at) this other company is receiving mail just fine. Also other mail is being sent and received successfully to other recipients across all sorts of domains. This makes me think it's an issue with their mail server but they seem to have no trouble receiving from anyone else, so I can't quite narrow this down where the issue is.
I think this is unlikely to be a Cloudron issue, but wanted to raise it here in case anyone else has come across this and in case this is some sort of TLS-type compatibility issue. I'm usually pretty good at troubleshooting email issues but this one I can't quite figure out and it's also a bit time-sensitive in nature unfortunately.
I kind of want to say this is a TLS-based issue where the backend requires a certain TLS protocol version which isn't supported / being used from Cloudron server, that's usually where I see "Client network socket disconnected before secure TLS connection was established" with regards to other HTTP services anyways, just never seen it in SMTP before.
Any ideas on the above?
--
Dustin Dauncey
www.d19.ca -
To my surprise, Fortinet's "fortimail" server isn't quite as secure as it should be when it comes to the certificate and server set... according to https://www.ssllabs.com/ssltest/analyze.html?d=gw6158.fortimail.com
It seems to support all TLS versions though and many ciphers. Is it possible there's a rare incompatibility here though? I'm not sure how to determine that in Cloudron to know what ciphers are used during negotiation.
-
I see https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L75 has the cipher suites but it's for Nginx, is that same list used for the Cloudron mail server outbound?
-
Running into an issue with one particular mail server for a recipient. My emails aren't arriving at all. I see the following in the logs when it tries to send my message:
2020-11-24T01:21:09.000Z [INFO] [528A8DBB-ECC3-43B8-8D2E-DC65014EC9C5.1.1] [outbound] Looking up A records for: gw6158.fortimail.com 2020-11-24T01:21:09.000Z [INFO] [528A8DBB-ECC3-43B8-8D2E-DC65014EC9C5.1.1] [outbound] Attempting to deliver to: 173.243.136.158:25 (0) (8) 2020-11-24T01:21:10.000Z [ERROR] [528A8DBB-ECC3-43B8-8D2E-DC65014EC9C5.1.1] [outbound] Ongoing connection failed to 173.243.136.158:25 : Error: Client network socket disconnected before secure TLS connection was established 2020-11-24T01:21:10.000Z [INFO] [528A8DBB-ECC3-43B8-8D2E-DC65014EC9C5.1.1] [outbound] Temp failing 1606179904597_1606180869126_4_87_95hV7K_3760_88af3024f7bc for 1024 seconds: Tried all MXsSo it tries later and basically is in a loop as it can't succeed. It seems like the backend isn't even responding, but their mail server is definitely working because another client working with alongside (but not at) this other company is receiving mail just fine. Also other mail is being sent and received successfully to other recipients across all sorts of domains. This makes me think it's an issue with their mail server but they seem to have no trouble receiving from anyone else, so I can't quite narrow this down where the issue is.
I think this is unlikely to be a Cloudron issue, but wanted to raise it here in case anyone else has come across this and in case this is some sort of TLS-type compatibility issue. I'm usually pretty good at troubleshooting email issues but this one I can't quite figure out and it's also a bit time-sensitive in nature unfortunately.
I kind of want to say this is a TLS-based issue where the backend requires a certain TLS protocol version which isn't supported / being used from Cloudron server, that's usually where I see "Client network socket disconnected before secure TLS connection was established" with regards to other HTTP services anyways, just never seen it in SMTP before.
Any ideas on the above?
@d19dotca Could it be that the server needs TLS 1.0 or something ? We disable support for it since it has been long insecure but I do know that many mail servers still seem to hold on to it. https://forum.cloudron.io/post/9500 has a workaround. Can you tell me if it works after that ?
-
@d19dotca Could it be that the server needs TLS 1.0 or something ? We disable support for it since it has been long insecure but I do know that many mail servers still seem to hold on to it. https://forum.cloudron.io/post/9500 has a workaround. Can you tell me if it works after that ?
-
@girish I'll try as soon as I can later today, but according to the SSLlabs report above their backend supports TLSv1.2 to the older TLSv1.0, so it should be fine to talk on TLSv1.2 from what I can tell.
-
@d19dotca I thing this sslabs thing checks their web server ssl config, not their mail server tls config
@mehdi Oh does it? Ah, interesting it that's the case. Are you aware of any method for me to determine what the receiving mail server supports for TLS protocols and cipher suites? I haven't quite figured that out yet. I'm used to just openSSL for HTTP requests and SSLlabs, but if they don't really apply then to mail servers to reflect what the mail servers will see when they talk to each other then I guess that won't help me too much yet, so trying to find a way to find that data.
--
Dustin Dauncey
www.d19.ca -
@mehdi Oh does it? Ah, interesting it that's the case. Are you aware of any method for me to determine what the receiving mail server supports for TLS protocols and cipher suites? I haven't quite figured that out yet. I'm used to just openSSL for HTTP requests and SSLlabs, but if they don't really apply then to mail servers to reflect what the mail servers will see when they talk to each other then I guess that won't help me too much yet, so trying to find a way to find that data.
-
@d19dotca https://ssl-tools.net/mailservers/gw6158.fortimail.com it seems it also runs into a problem "unexpected EOF"
-
@mehdi Oh does it? Ah, interesting it that's the case. Are you aware of any method for me to determine what the receiving mail server supports for TLS protocols and cipher suites? I haven't quite figured that out yet. I'm used to just openSSL for HTTP requests and SSLlabs, but if they don't really apply then to mail servers to reflect what the mail servers will see when they talk to each other then I guess that won't help me too much yet, so trying to find a way to find that data.
@d19dotca said in Outbound email error: "Client network socket disconnected before secure TLS connection was established":
Are you aware of any method for me to determine what the receiving mail server supports for TLS protocols and cipher suites?
You can try something like
openssl s_client -starttls smtp -connect server:25. Note that usually you have to do this from a real server and not from your laptop, since most residential networks will block outbound port 25.There is also a better tool for SMTP connection testing, it's at the tip of my tongue...
Edit: gnutls-cli is the tool. It has some feature which openssl s_client does not support. I can't seem to remember what exactly.
